Azure Identity And Access Management Part 2 – Azure Active Directory – Enterprise Users

Hello Friends,
I hope you are all healthy and doing well in this critical situation. In our last article we discussed the Azure Active Directory overview.
In this article we continue with Azure AD and explore the most important user, group and licence management features provided by the service. Most of the information has been collected from different Microsoft articles.
If you have missed our previous article on Azure Identity And Access Management (IAM), please check it in following link.
Part 1 – Azure Active Directory – Overview
Next Article : Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
Enterprise User Management
An enterprise user is one who is defined and managed in a directory. Each enterprise user has a unique identity across the enterprise. Enterprise user management means:
- Using Azure AD services (for example the Group service, administrator role assignments and the enterprise identity service) to manage users, groups, licences and roles.
- Administering enterprise-wide users and their access to target resources.
Manage Users
The user is the building block of Azure Active Directory. To be recognised, each user must have an account in the directory. There are two approaches to adding a new user to Azure Active Directory: through the Azure portal and with PowerShell. Let's look at both.
Add New User
When adding a new user to our enterprise directory several questions come to mind: is it a fresh user, do we need to invite a guest, or are we creating an account for a consumer? We can add the following types of user as required. To add a new user the person doing it must be a User administrator or Global administrator; for day-to-day account creation prefer the User administrator role, which is the less privileged of the two. Let's go to the Azure Active Directory landing page.
Normal User: When we want to create a new account for a user in our enterprise, create the user in the directory by clicking the +New User button; to add many users at once click the Bulk create button and provide the user details in a CSV file (UserCreateTemplate.csv) as shown in the following figure.


Power-Shell

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "MyPwd*1234"
# Force a change at first sign-in so the password written in the script is only ever temporary
$PasswordProfile.ForceChangePasswordNextLogin = $true
New-AzureADUser -DisplayName "New User" -PasswordProfile $PasswordProfile -UserPrincipalName "Manas@Knowledge-Junction.com" -AccountEnabled $true -MailNickName "Manas"
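The bulk-create step above is normally done from the portal with UserCreateTemplate.csv. The following is an added example, not code from the original article, showing the same thing with the AzureAD module: it generates a random initial password per user, forces a change at first sign-in, and skips UPNs that already exist so the batch can be re-run safely. It assumes Connect-AzureAD has already been run; the CSV rows, the column names and the usage location 'IN' are constructed for this example and are not the portal template's layout.

```powershell
# Added example (not from the original article): bulk-create cloud users from CSV rows.
# Assumes Connect-AzureAD has been run. Rows, column names and UsageLocation are constructed.
Import-Module AzureAD

function New-RandomPassword {
    # Crypto-grade random password that always contains all four character classes,
    # so it satisfies the Azure AD complexity requirement
    param([int]$Length = 16)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$Set)
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        $Set[[int]([BitConverter]::ToUInt32($b, 0) % $Set.Length)]
    }
    $upper = 'ABCDEFGHJKLMNPQRSTUVWXYZ'; $lower = 'abcdefghijkmnpqrstuvwxyz'
    $digit = '23456789';                 $symbol = '!@#$%*?'
    $chars = @((& $pick $upper), (& $pick $lower), (& $pick $digit), (& $pick $symbol))
    while ($chars.Count -lt $Length) { $chars += (& $pick ($upper + $lower + $digit + $symbol)) }
    -join ($chars | Sort-Object { Get-Random })
}

# Constructed input rows; in practice this would be Import-Csv -Path .\NewUsers.csv
$rows = @"
DisplayName,UserPrincipalName,MailNickName
Test User One,test.one@knowledge-junction.com,test.one
Test User Two,test.two@knowledge-junction.com,test.two
"@ | ConvertFrom-Csv

$results = foreach ($row in $rows) {
    # Idempotent: an existing UPN is reported and skipped instead of aborting the batch
    if (Get-AzureADUser -Filter "userPrincipalName eq '$($row.UserPrincipalName)'") {
        Write-Warning "Skipping $($row.UserPrincipalName): account already exists"
        continue
    }
    $pwdProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwdProfile.Password = New-RandomPassword
    $pwdProfile.ForceChangePasswordNextLogin = $true   # initial password is temporary
    $new = New-AzureADUser -DisplayName $row.DisplayName `
        -UserPrincipalName $row.UserPrincipalName `
        -MailNickName $row.MailNickName `
        -PasswordProfile $pwdProfile `
        -AccountEnabled $true `
        -UsageLocation 'IN'      # assumed value; required before a licence can be assigned
    [pscustomobject]@{
        UserPrincipalName = $new.UserPrincipalName
        ObjectId          = $new.ObjectId
        InitialPassword   = $pwdProfile.Password   # hand over out of band, never by clear-text e-mail
    }
}
$results | Format-Table -AutoSize
```

The initial passwords only exist in the `$results` objects in memory; do not write them to disk, and deliver them to the new users through a channel separate from their mailbox.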
Guest User: We can also invite guest users to collaborate with our organisation by selecting Invite user on the New user page. The user is emailed an invitation that they must accept before they can begin collaborating. This is a B2B (Business-To-Business) user. Just as we can bulk-create users, we can also invite guests in bulk; at the time of writing the bulk invite option in the portal was disabled, so bulk guest invitations are sent with PowerShell.

Power-Shell :
# -InviteRedirectUrl is where the guest lands after redeeming the invitation
New-AzureADMSInvitation -InvitedUserDisplayName "Manas" -InvitedUserEmailAddress manasmoharana@gmail.com -InviteRedirectUrl https://myapps.microsoft.com -SendInvitationMessage $true
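Bulk guest invitation from PowerShell, as an added example that is not part of the original article: every row is checked against a domain allowlist before an invitation goes out, and addresses that are already guests in the tenant are not re-invited. It assumes Connect-AzureAD has been run; the rows and the allowed partner domains are constructed for this example.

```powershell
# Added example (not from the original article): bulk B2B invitations with a domain allowlist.
# Assumes Connect-AzureAD has been run; guest rows and allowed domains are constructed.
Import-Module AzureAD

$allowedDomains = @('partner-a.example', 'partner-b.example')   # constructed allowlist

$guests = @"
DisplayName,Email
Partner One,one@partner-a.example
Partner Two,two@partner-b.example
Someone Else,someone@gmail.com
"@ | ConvertFrom-Csv

function Test-AllowedGuestDomain {
    param([string]$Email, [string[]]$Allowed)
    # Only the part after the last '@' counts; -contains is case-insensitive
    $domain = ($Email -split '@')[-1].ToLowerInvariant()
    return ($Allowed -contains $domain)
}

$results = foreach ($g in $guests) {
    if (-not (Test-AllowedGuestDomain -Email $g.Email -Allowed $allowedDomains)) {
        Write-Warning "Not inviting $($g.Email): domain is not on the allowlist"
        continue
    }
    # Don't re-invite someone who is already a guest in the tenant
    if (Get-AzureADUser -Filter "mail eq '$($g.Email)'") {
        Write-Host "Already present: $($g.Email)"
        continue
    }
    $inv = New-AzureADMSInvitation -InvitedUserDisplayName $g.DisplayName `
        -InvitedUserEmailAddress $g.Email `
        -InviteRedirectUrl 'https://myapps.microsoft.com' `
        -SendInvitationMessage $true
    [pscustomobject]@{ Email = $g.Email; Status = $inv.Status; GuestObjectId = $inv.InvitedUser.Id }
}
$results | Format-Table -AutoSize
```

The script-side allowlist is a convenience for the person running the batch; the enforceable control is the tenant's External collaboration settings (the allow/deny list of domains), which applies to every invitation no matter how it is sent.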
Consumer User (Azure AD B2C): Sometimes an enterprise or organisation wants to create accounts for its consumers in an Azure Active Directory B2C (Azure AD B2C) directory; this is a B2C (Business-To-Consumer) user. In the same way we can bulk-add users and invite guests to this directory, as shown in the following figure.

Note: The Azure AD B2C service manages customer, consumer and citizen access to our web, desktop, mobile or single-page applications. It is built on the Azure Active Directory (Azure AD) identity platform, which supports more than 1 billion identities worldwide. Three types of user account can be created in an Azure AD B2C directory (Work, Guest, Consumer). We can think of it as a user store in the cloud. If time permits we will have a separate article on B2C users.
Power-Shell :
We can use New-AzureADUser as shown in figure 2.1 above and set -CreationType to LocalAccount to create a local account in a B2C tenant. This property indicates whether the user account is a local account for an Azure Active Directory B2C tenant; the possible values are "LocalAccount" and null.
Hybrid User: When we have an environment with both Azure Active Directory (cloud) and Windows Server Active Directory (on-premises), we can add new users by synchronising the existing user account data. Microsoft's identity solutions span on-premises and cloud-based capabilities and create a common user identity for authentication and authorisation to all resources, regardless of location. We call this hybrid identity.
To configure hybrid identity with Azure AD, one of the following three authentication methods is used. The choice depends on our organisation's requirements; we will have separate articles on each method.
- Password hash synchronization (PHS)
- Pass-through authentication (PTA)
- Federation (AD FS)
Delete Existing User
We can delete an existing user with the Azure Active Directory portal or with PowerShell. There are two ways to delete users: one by one, or with the Bulk delete button and a CSV file listing the users. A deleted user appears on the Deleted users page for the next 30 days and can be restored during that time; after that it is permanently purged.


Power-Shell :

# Preview what the filter matches before piping it into Remove-AzureADUser; the deletion itself does not prompt
Get-AzureADUser -Filter "startswith(DisplayName,'Prasham')" | Select-Object DisplayName, UserPrincipalName, ObjectId
Remove-AzureADUser -ObjectId "udayjoshi-1234@gmail.com"
Get-AzureADUser -Filter "startswith(DisplayName,'Prasham')" | Remove-AzureADUser
Modify Existing User Profile
After a user is added, there is more information available in the user's profile than we could add during creation. All of this additional information is optional and can be filled in as needed by our organisation.

Power-Shell :

$user = Get-AzureADUser -ObjectId Manasmoharana@knowledge-Junction.com
# Update the display name of the user we just looked up; using the ObjectId keeps the script correct if the UPN changes later
Set-AzureADUser -ObjectId $user.ObjectId -DisplayName 'Manas Ranjan Moharana'
Manage Groups
Azure Active Directory (Azure AD) lets us create and use groups to manage access to our cloud-based apps, on-premises apps and other resources. A group is assigned to a resource by the resource owner (administrator) and contains the specific members (employees) that need access to that resource, so access is granted and revoked by changing membership rather than by editing each resource.
Note: In the Azure portal we can see some groups whose membership and details cannot be managed in the portal:
1) Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory.
2) Other group types, such as distribution lists and mail-enabled security groups, are managed only in the Exchange admin center or the Microsoft 365 admin center.
Types Of Group
- Synced groups: groups synchronised from on-premises Active Directory to Azure Active Directory.
- Cloud groups: groups created directly in the Azure portal or with PowerShell.
Create Group In Azure Portal
We can create an Azure AD group using the Azure Active Directory (Azure AD) portal or PowerShell. We can create a basic group and add members at the same time, and add new members at any time afterwards. When we create an Azure AD group we need to consider the following two main properties; both are required fields.
1) Group Type: As discussed, cloud groups are created through the Azure portal. A cloud group has two sub-types, Security and Office 365. There are several differences between them, but the basic one is that an Office 365 group is mail-enabled by default.
2) Membership Type: There are three options specifying how members are added to the group; we configure it according to our requirements:
- Assigned: the group owner or an administrator adds members manually.
- Dynamic User: a rule is configured and users are added automatically when they satisfy the rule.
- Dynamic Device: a rule is configured and devices are added automatically when they satisfy the rule.

Using the Azure Active Directory (Azure AD) portal, an administrator can also add a large number of members to a group by bulk-importing them from a comma-separated values (CSV) file.
Create Dynamic Group
A dynamic group in Azure AD uses rules to determine group membership based on user or device properties; this feature requires an Azure AD Premium P1 licence. Security groups can be dynamic for either devices or users, but Office 365 groups support only user membership. Users and devices are added or removed as they start or stop meeting the group's conditions. When configuring a dynamic membership rule, the Validate rules tab lets us test the rule against sample members to confirm it works as expected. Dynamic membership therefore reduces the administrative overhead of adding and removing users. One thing to keep in mind: whoever can edit the attributes a rule keys on (department, job title, extension attributes) effectively controls the group's membership and whatever access the group grants, so rules should be built on attributes users cannot set themselves.
Note: we can create a dynamic group for devices or for users, but a single rule cannot contain both users and devices.
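Creating a dynamic group from PowerShell and checking that its rule produced the expected members, as an added example that is not code from the original article. The rule here is the common "all guests" case, keyed on userType, which a user cannot change about themselves. It assumes Connect-AzureAD has been run and that the tenant holds Azure AD Premium P1; the group name and description are our own.

```powershell
# Added example (not from the original article): dynamic group for all B2B guests, then a
# check of the evaluated membership against a direct directory query with the same condition.
# Assumes Connect-AzureAD has been run and Azure AD Premium P1 is present.
Import-Module AzureAD

function Get-MissingMembers {
    # Returns the IDs that are in $Expected but not (yet) in $Actual
    param([string[]]$Expected, [string[]]$Actual)
    return @($Expected | Where-Object { $Actual -notcontains $_ })
}

$rule = '(user.userType -eq "Guest")'     # dynamic membership rule syntax
$group = New-AzureADMSGroup -DisplayName 'All Guests (dynamic)' `
    -Description 'Every B2B guest account, maintained automatically by rule' `
    -MailEnabled $false -MailNickname 'allguests-dyn' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Ground truth: the same condition expressed as an OData filter on the directory
$expected = @((Get-AzureADUser -All $true -Filter "userType eq 'Guest'").ObjectId)

# Rule evaluation is asynchronous; poll for up to about six minutes
$actual = @()
for ($i = 0; $i -lt 12; $i++) {
    $actual = @((Get-AzureADGroupMember -ObjectId $group.Id -All $true).ObjectId)
    if ($actual.Count -gt 0 -and (Get-MissingMembers $expected $actual).Count -eq 0) { break }
    Start-Sleep -Seconds 30
}

$missing = Get-MissingMembers $expected $actual
if ($missing.Count -eq 0) {
    Write-Host "Rule verified: $($actual.Count) guests in '$($group.DisplayName)'"
} else {
    Write-Warning "$($missing.Count) of $($expected.Count) guests not in the group yet; check the rule and processing state"
}
```

Comparing the group against an independent directory query is the PowerShell equivalent of the portal's Validate rules tab, and it is the check to repeat after any rule change, because a typo in a rule silently empties or over-fills the group.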

Add Member to Group
Once the group is ready we can add members and owners, assign licences, and so on. As shown in the following figure, go to the Members section and click the +Add members button to add a member. Licences and applications for the group are managed the same way.

Power-Shell :

# New-AzureADGroup creates security groups only; it cannot create a mail-enabled group, so MailEnabled must be $false
# (mail-enabled Office 365 groups are created with New-AzureADMSGroup -GroupTypes "Unified" or in Exchange)
New-AzureADGroup -DisplayName "Knowledge Junction Team" -MailEnabled $false -MailNickName "Knowledge-Junction" -SecurityEnabled $true
Add Member To Existing Group :

In the following command, the ObjectId value represents the group and the RefObjectId value represents the user.
# Both IDs are looked up by name so the command works in any tenant instead of depending on pasted GUIDs
Add-AzureADGroupMember -ObjectId (Get-AzureADGroup -Filter "displayName eq 'Knowledge Junction Team'").ObjectId -RefObjectId (Get-AzureADUser -ObjectId "Manas@Knowledge-Junction.com").ObjectId
Delete Group In Azure Portal
As shown in the figure above, to delete an Azure AD group select the group and click the Delete button. We can remove a large number of members from a group by using a comma-separated values (CSV) file to bulk remove group members. We can also modify the general settings of an existing group.
Note: When we delete an Office 365 group in Azure Active Directory (Azure AD), the deleted group is retained but not visible for 30 days from the deletion date, so that the group and its contents can be restored if needed. This soft-delete is not available for security groups, which are purged immediately. Don't use Remove-MsolGroup to delete an Office 365 group, because it purges the group permanently; always use Remove-AzureADMSGroup.
Power-Shell :
In the following command, the ObjectId value represents the group and the MemberId value represents the user's object ID.
# Both IDs are looked up by name so the command works in any tenant instead of depending on pasted GUIDs
Remove-AzureADGroupMember -ObjectId (Get-AzureADGroup -Filter "displayName eq 'Knowledge Junction Team'").ObjectId -MemberId (Get-AzureADUser -ObjectId "Manas@Knowledge-Junction.com").ObjectId
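Adding and removing one member at a time, as in the two commands above, does not scale, and hand-pasted object IDs are easy to get wrong. The following added example, not code from the original article, reconciles a group's user membership against a desired list of UPNs: it adds what is missing, removes what should not be there, leaves nested groups and service principals alone, and has a dry-run switch so the changes can be reviewed first. It serves both the Add Member and Delete Group sections. It assumes Connect-AzureAD has been run; the group name is the one used in this article and the UPN list is constructed.

```powershell
# Added example (not from the original article): reconcile a group's user membership
# against a desired list of UPNs. Assumes Connect-AzureAD has been run; UPNs are constructed.
Import-Module AzureAD

function Sync-GroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$DesiredUpns,
        [switch]$DryRun     # report the changes without making them
    )
    $group = @(Get-AzureADGroup -Filter "displayName eq '$GroupName'")
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)" }
    $groupId = $group[0].ObjectId

    # Resolve UPNs to object IDs; unknown UPNs are reported, not silently dropped
    $desired = @{}
    foreach ($upn in $DesiredUpns) {
        $u = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
        if ($u) { $desired[$u.ObjectId] = $upn } else { Write-Warning "Not found in directory: $upn" }
    }

    # Only user members are reconciled; nested groups and service principals are left alone
    $current = @{}
    Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Where-Object ObjectType -eq 'User' |
        ForEach-Object { $current[$_.ObjectId] = $_.UserPrincipalName }

    foreach ($id in @($desired.Keys)) {
        if (-not $current.ContainsKey($id)) {
            Write-Host "ADD    $($desired[$id])"
            if (-not $DryRun) { Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $id }
        }
    }
    foreach ($id in @($current.Keys)) {
        if (-not $desired.ContainsKey($id)) {
            Write-Host "REMOVE $($current[$id])"
            if (-not $DryRun) { Remove-AzureADGroupMember -ObjectId $groupId -MemberId $id }
        }
    }
}

# Run with -DryRun first and review the ADD/REMOVE lines before applying
Sync-GroupMembers -GroupName 'Knowledge Junction Team' -DryRun `
    -DesiredUpns @('Manas@Knowledge-Junction.com', 'Alpik.sutar@knowledge-junction.com')
```

Because the desired list is the source of truth, anyone who was added to the group by hand and is not on the list will be removed on the next run; that is the point of reconciliation, but it is also why the dry run matters.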
Self service Group Management
An administrator can enable users to create and manage their own security groups or Office 365 groups in Azure Active Directory (Azure AD). The owner of the group can approve or deny membership requests. The Access Panel plays a major role here: it is a web-based portal that allows an end user with an organisational account in Azure Active Directory to view and launch the cloud-based applications to which they have been granted access by the Azure AD administrator. The following figure shows the available options for configuring self-service for groups.

Along with the above configuration, the following two options under the Settings section, shown in the following figure, also control self-service group management.

Groups Naming policy
This option has two configuration sections. The first is "Blocked Words": it lets us configure a set of words that our organisation wants to block from group names. As shown in the following figure, we download a template CSV file, add our words separated by commas, upload the file and save the configuration.

The second is "Group Naming Policy": it lets us configure a prefix or suffix for groups, which is then added automatically when a new group is created.

Group Expiration
An admin can manage the life-cycle of Office 365 groups by setting an expiration policy for them in Azure Active Directory (Azure AD). Renewal notifications are emailed to group owners 30 days, 15 days and one day before expiration. Group owners must have Exchange licences to receive the notification emails. If a group is not renewed it is deleted along with its associated content from sources such as Outlook, SharePoint and Teams; it can still be restored within the 30-day soft-delete window described above.

Manage licenses
Many Azure AD services require the organisation to assign a licence to each user or group that uses the service. Only users with an active licence can access and use those licensed Azure AD services.
Assign License
Before we assign a licence to any user or group, we should check the availability of the licensed product, that is, whether we have enough unused licences, as shown in the following figure.

As shown in the figure above, select the products/licences and click the +Assign button. Then, as shown in the following figure, select the users or groups to whom we want to assign the licence.

Once we have selected the users or groups, the next step is to configure the services provided by the licence. We can turn the available services on or off as shown in the following figure and click OK, then click Assign to complete the assignment.

In the following figures we can see that the selected group "KnowledgeJunction" is now licensed for all services.


Power-Shell :
$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$license.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId
$licenses.AddLicenses = $license
# The user must already have a UsageLocation set, otherwise the assignment is rejected
Set-AzureADUserLicense -ObjectId "Alpik.sutar@knowledge-junction.com" -AssignedLicenses $licenses
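The portal flow above checks available units and lets us switch individual services off before assigning. The following added example, not code from the original article, does the same from PowerShell: it refuses to assign when the SKU has no unused units, sets a usage location if the user has none (the most common reason an assignment fails), disables named service plans, and reads the result back. It assumes Connect-AzureAD has been run; the SKU name ENTERPRISEPREMIUM and the UPN are the ones used in this article, and the disabled plan name YAMMER_ENTERPRISE and default usage location are assumptions.

```powershell
# Added example (not from the original article): assign a licence with availability and
# usage-location checks and with chosen service plans disabled. Assumes Connect-AzureAD.
Import-Module AzureAD

function Grant-UserLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SkuPartNumber,
        [string[]]$DisabledPlanNames = @(),
        [string]$DefaultUsageLocation = 'IN'   # assumed value for users with no location set
    )
    $sku = Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not in this tenant" }

    # Same check as the portal's availability column: Enabled units minus consumed units
    $free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($free -le 0) {
        throw "No unused '$SkuPartNumber' licences ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) in use)"
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $user.UsageLocation) {
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $DefaultUsageLocation
    }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    # Map plan names (as shown in the SKU's ServicePlans) to plan IDs and switch them off
    $license.DisabledPlans = ($sku.ServicePlans |
        Where-Object { $DisabledPlanNames -contains $_.ServicePlanName }).ServicePlanId

    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

    # Read back what the user now holds for this SKU
    Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId | Where-Object SkuId -eq $sku.SkuId
}

Grant-UserLicense -UserPrincipalName 'Alpik.sutar@knowledge-junction.com' `
    -SkuPartNumber 'ENTERPRISEPREMIUM' -DisabledPlanNames 'YAMMER_ENTERPRISE'
```

To see which plan names a SKU contains before choosing what to disable, inspect `(Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM').ServicePlans`.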
Remove License
An admin can use the Azure portal when the organisation wants to remove a licence assignment from a user or group, or to turn off some services in an assigned licence. The steps are:
- After logging in to Azure AD, open Licences for the selected group.
- Select the licence we want to remove or modify.
- Click Remove to remove the licence, or reconfigure the available services and click Save, as shown in the following figure.

Power-Shell :
$license4Remove = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$license4Remove.RemoveLicenses = (Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq "ENTERPRISEPREMIUM"}).SkuId
Set-AzureADUserLicense -ObjectId "dholi.sutara@knowledge-junction.com" -AssignedLicenses $license4Remove
Change License Assignments
Sometimes an organisation needs to change a licence assignment from a higher plan to a lower one or vice versa, that is, move users and groups between service licence plans in Azure Active Directory (Azure AD). Azure AD's approach ensures there is no loss of service or data during the change, so users switch between services seamlessly. When we update licence assignments for a user or group, the removals and the new assignments are made in the same operation, so users do not lose access to their services during the change or see licence conflicts between plans. We need to make sure that all the required services are checked in the new licence, as shown in the following figure.

Note: It is important to verify that certain assumptions hold for all of the users or groups to be updated. This article does not cover those assumptions; please refer to the Microsoft documentation for details.
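From PowerShell the "removal and new assignment in one operation" behaviour comes from putting both AddLicenses and RemoveLicenses into a single Set-AzureADUserLicense call, rather than calling Remove followed by Add. The following is an added example that is not code from the original article; it assumes Connect-AzureAD has been run, uses ENTERPRISEPREMIUM (E5) from this article together with ENTERPRISEPACK (E3), and the UPN is the one used in the Remove License section.

```powershell
# Added example (not from the original article): move a user between plans atomically.
# Assumes Connect-AzureAD has been run; SKU names are E3/E5 part numbers, UPN from the article.
Import-Module AzureAD

function Switch-UserLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$FromSku,
        [Parameter(Mandatory)][string]$ToSku
    )
    $skus = Get-AzureADSubscribedSku
    $old = $skus | Where-Object SkuPartNumber -eq $FromSku
    $new = $skus | Where-Object SkuPartNumber -eq $ToSku
    if (-not $old -or -not $new) { throw "Both '$FromSku' and '$ToSku' must exist in the tenant" }
    if (($new.PrepaidUnits.Enabled - $new.ConsumedUnits) -le 0) { throw "No unused '$ToSku' licences" }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $held = @((Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuId)
    if ($held -notcontains $old.SkuId) { throw "$UserPrincipalName does not hold '$FromSku'; nothing to swap" }

    $add = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $add.SkuId = $new.SkuId
    $change = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $change.AddLicenses = $add
    $change.RemoveLicenses = $old.SkuId      # add and remove travel in the same request
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $change

    # Return the part numbers the user now holds so the caller can confirm the swap
    (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuPartNumber
}

Switch-UserLicense -UserPrincipalName 'dholi.sutara@knowledge-junction.com' `
    -FromSku 'ENTERPRISEPACK' -ToSku 'ENTERPRISEPREMIUM'
```

Running the removal and the addition as two separate calls would leave a window in which the user holds no licence at all, which is exactly the service interruption the single-call form avoids.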
Useful Additional Information From MS
- Identify and resolve license assignment problems for a group in Azure Active Directory
- Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory
In this article I have tried to summarise my understanding in one place, but many of these topics deserve more detail. I will try to explore them in upcoming articles. Please let us know your comments and suggestions, or if I have missed anything important about Azure AD.
Next Article : Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .
Hi Bro Nice article…..
Can I ask you a question regarding user groups in Azure AD?
When a user is being added to the group (for example john.doe@knowledge-junction.com, where @knowledge-junction.com would be the acceptable syntax), the thought is whether we can control this by having some sort of check confirming that the user's domain is the one approved for this group, as we have to create multiple external user groups.